
Jenkins: Multiple Critical Vulnerabilities Enable Code Execution


The Point: Multiple vulnerabilities in Jenkins enable remote code execution, phishing, authentication bypass, and unauthenticated data access.

The BSI warns of several vulnerabilities in Jenkins that allow attackers to execute arbitrary code and bypass security controls. The vulnerabilities affect core Jenkins functionality and require timely action in affected infrastructures.

The Federal Office for Information Security (BSI) has identified multiple vulnerabilities in Jenkins whose exploitation enables various attack scenarios. They allow authenticated or unauthenticated attackers to execute arbitrary code on affected systems.

Additionally, the vulnerabilities can be exploited for authentication bypass, allowing attackers to impersonate legitimate users. It is also possible to redirect users to attacker-controlled domains for phishing or malware distribution. The vulnerabilities further enable circumventing security measures, disclosure and manipulation of data, and cross-site scripting attacks.

Jenkins is frequently used in CI/CD pipelines for automated build and deployment processes. For CISOs, this means that successful exploitation can have far-reaching consequences: from manipulation of source code and binaries, to compromising downstream systems, to theft of credentials and secrets stored in Jenkins jobs. Prioritization of patches and rapid inventory of affected Jenkins installations are required.
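The inventory step above is the part a defender has to act on first. The following script is an added example, not part of the BSI advisory and not code from the Jenkins project: it queries Jenkins instances you administer and reads the `X-Jenkins` response header, which a Jenkins controller sends with its version string (for example `2.452.1` for an LTS release, `2.460` for a weekly release; the two lines are numbered separately and are compared only against their own minimum). The advisory summary names no fixed versions, so `MIN_FIXED_LTS`, `MIN_FIXED_WEEKLY` and the example URL are placeholders to be replaced with the values from the Jenkins security advisory and your own host list.

```python
"""Jenkins version inventory (added example; placeholders must be replaced)."""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Optional

# PLACEHOLDERS: the advisory summary gives no fixed versions. Put the first
# fixed LTS and weekly versions from the Jenkins security advisory here.
MIN_FIXED_LTS = (2, 999, 1)
MIN_FIXED_WEEKLY = (2, 999)

# LTS versions have three numeric components, weekly versions have two.
VERSION_RE = re.compile(r"^\d+(?:\.\d+){1,2}$")


@dataclass
class InstanceStatus:
    url: str
    version: Optional[tuple]
    line: str                    # "lts", "weekly", "unknown", or "error: ..."
    vulnerable: Optional[bool]   # None when it could not be determined


def parse_version(header_value):
    """Turn '2.452.1' into (2, 452, 1); return None for anything unexpected."""
    value = header_value.strip()
    if not VERSION_RE.match(value):
        return None
    return tuple(int(part) for part in value.split("."))


def classify(url, headers):
    """Classify one instance from its HTTP response headers (case-insensitive)."""
    header_value = next(
        (v for k, v in headers.items() if k.lower() == "x-jenkins"), None
    )
    if header_value is None:
        return InstanceStatus(url, None, "unknown", None)
    version = parse_version(header_value)
    if version is None:
        return InstanceStatus(url, None, "unknown", None)
    if len(version) == 3:
        return InstanceStatus(url, version, "lts", version < MIN_FIXED_LTS)
    return InstanceStatus(url, version, "weekly", version < MIN_FIXED_WEEKLY)


def probe(url, timeout=5):
    """Fetch the login page of an instance you administer and classify it.

    Jenkins also sets X-Jenkins on error responses such as 403, so the
    headers of an HTTPError are classified rather than discarded.
    """
    req = urllib.request.Request(url.rstrip("/") + "/login", method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(url, dict(resp.headers.items()))
    except urllib.error.HTTPError as exc:
        return classify(url, dict(exc.headers.items()))
    except Exception as exc:  # DNS failure, timeout, TLS error, ...
        return InstanceStatus(url, None, f"error: {exc.__class__.__name__}", None)


def inventory(urls, fetch=probe):
    """Probe every URL; instances flagged vulnerable are sorted to the front."""
    results = [fetch(u) for u in urls]
    return sorted(results, key=lambda s: (s.vulnerable is not True, s.url))


if __name__ == "__main__":
    # Placeholder host list: replace with the controllers in your own estate.
    for status in inventory(["https://jenkins.example.internal"]):
        print(f"{status.url}: {status.line} {status.version} vulnerable={status.vulnerable}")
```

Instances that report `unknown` (no parseable header, for example behind a reverse proxy that strips it) still need a manual check; the script only narrows the list, it does not replace reading the advisory's affected-version table.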


Source: wid.cert-bund.de · Published 11 June 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification via Lumi News Pipeline v1.6.5.
